As you might be aware, this Friday 11th May there was a massive global outbreak of a new type of crypto virus dubbed WannaCrypto (aka WannaCry). Major locations hit included the UK (health sector, including hospitals and GP surgeries), Spain, where telecom giant Telefonica was targeted (along with Portuguese and Argentinian telecoms), and institutions in Russia. Over 140 countries and over 200,000 systems were affected.
This article provides an anatomy of this ransomware and some steps to prevent such an attack in the future.
How was the UK affected?
The NHS was crippled (more than 46 hospitals and many GP surgeries reported the malware spreading) and had to resort to pen and paper for day-to-day activities. Patients were turned away, important data such as scans and personal test results were lost, and planned surgeries were cancelled. We could easily say that lives were at stake, as sometimes more critical operations had to be postponed or done without important test/scan results. This was the stuff of science fiction being played out in real life.
Facts about the WannaCry cyber attack:
1. The fastest spreading malware ever (over 140 countries with a large number of affected endpoints in a matter of hours)
This link shows the spread over time. The animation was made possible because the authors of MalwareTech were able to hack into one of the Command and Control domains and gain control over it, so they could trace the incoming call-home requests from the infected machines (keep in mind that this does not depict the whole spread of the virus, as MalwareTech operated in EST time and the spread in Europe and Asia had already been going on for some hours).
2. The virus exploited a vulnerability in Windows OS systems that was used for years by the NSA (and GCHQ) but only revealed to the public a couple of months ago
Security specialists are quite split in their opinions about the leaking of this exploit.
One opinion is that the vulnerability should never have been leaked, so that the bad guys would not become aware of it and hence would not be able to exploit it. This approach is Security through Obscurity, or the ostrich effect – bury your head in the sand, and if you cannot see it, it does not exist.
The second opinion is that not a single discovered vulnerability should remain hidden: the more people are aware of a threat, the more people can react to it. Security admins had more than two months to patch their systems, as an official patch from Microsoft was released pretty quickly after the leak.
Many government and large organizations (due to their sheer size and bureaucracy) are still running Windows XP (for a long time the dominant OS worldwide), and since XP is end of life and out of support, there was no patch for it.
3. Kill switch – the virus had a kill switch designed by its creators: a hidden, long domain name that, if alive, makes the virus stop spreading. A researcher found it by looking at the malware (reverse engineering it); he was not really sure why the domain was there, but he registered it and luckily helped stop the spread.
4. Botnet Command and Control (CnC) centers were located in TOR (the onion router)
CnC is very important for crypto viruses, as these are usually created not to destroy but to extort money from people who want their files recovered, and recovery is done via a backchannel in TOR supplying the key. TOR, also known as the Tor Project or the Onion Router, is an online anonymity network designed to conceal its users' identities and online activities.
If people pay and their files do not get recovered, the rumor spreads and other victims accept their losses and do not pay anything. The current estimate of infected systems with encrypted files is more than 55,000, and attackers want an average of 300 USD for file decryption, which amounts to a hefty sum (if 20,000 users pay, that is over 6 million dollars).
5. The attack is heavily customized, with detailed interaction between the malware and the user/victim – the information displayed to the user explains in detail what has happened and what needs to be done (how to pay) to recover files, and it is translated and shown in 28 languages
How does the attack work?
The malware uses a remote code execution vulnerability in SMBv2 in Microsoft Windows. The exploit (codenamed "EternalBlue") was made available on the internet through the Shadow Brokers dump on April 14th, 2017 and patched by Microsoft on March 14th. As SMB traffic does not communicate directly with the outside world, the initial attack point was via email, after which the malware spread internally from the infected host. After initial infection the virus spread like a worm, probing all hosts within the network for open SMB ports and trying to infect them. Also quite unique for this virus is that it uses different services for different tasks, aka a modular service approach – for example, separate services for file dumping, for finding files with particular important extensions and encrypting them, for disabling the shadow copy/system restore, and for presenting the screen with the note/demands/payment information – yes, that is a separate executable file.
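The worm behaviour described above has a simple network signature: one internal host opening SMB connections to many distinct neighbours within seconds, which no ordinary file-share user does. The following script is an added example (not code from the article or from any vendor) that runs that check over a constructed flow log; the log format (timestamp, source, destination, port, action) and the thresholds are assumptions, not a real product's log format.

```python
# Added example (not from the article): flag hosts that fan out to many distinct
# machines on SMB ports in a short window, the behaviour of a worm scanning for
# open SMB ports rather than a user opening a file share.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Constructed sample flow log (not real traffic): "timestamp src dst dst_port action",
# sorted by time. 10.1.1.20 and 10.1.1.30 are ordinary clients using a file server;
# 10.1.1.77 probes eight neighbours in four seconds.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.1.1.20 10.1.1.5 445 ALLOW
2017-05-12T10:00:09 10.1.1.20 10.1.1.5 445 ALLOW
2017-05-12T10:00:15 10.1.1.30 10.1.1.5 445 ALLOW
2017-05-12T10:01:00 10.1.1.77 10.1.1.5 445 ALLOW
2017-05-12T10:01:01 10.1.1.77 10.1.1.6 445 ALLOW
2017-05-12T10:01:01 10.1.1.77 10.1.1.7 445 ALLOW
2017-05-12T10:01:02 10.1.1.77 10.1.1.8 445 ALLOW
2017-05-12T10:01:02 10.1.1.77 10.1.1.9 445 ALLOW
2017-05-12T10:01:03 10.1.1.77 10.1.1.10 139 ALLOW
2017-05-12T10:01:03 10.1.1.77 10.1.1.11 445 DENY
2017-05-12T10:01:04 10.1.1.77 10.1.1.12 445 ALLOW
2017-05-12T10:05:00 10.1.1.20 10.1.1.6 445 ALLOW
2017-05-12T10:05:00 10.1.1.20 203.0.113.9 443 ALLOW
"""


def parse_flow(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_smb_fanout(lines, window_seconds=60, threshold=5):
    """Return {src_ip: max distinct SMB targets seen in any window} for sources
    that reach at least `threshold` distinct hosts within `window_seconds`.
    Lines must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    alerts = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, port, _action = parse_flow(raw)
        if port not in SMB_PORTS:
            continue
        # Denied attempts still count: a scanning worm probes hosts whether or not they answer.
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for host, count in detect_smb_fanout(SAMPLE_FLOWS.splitlines()).items():
        print(f"possible SMB worm activity from {host}: {count} distinct targets in 60s")
```

Because the signal is internal host-to-host traffic, it only exists in logs from something that sees the inside of the network (internal segmentation firewalls, switch flow export, or endpoint firewall logs); a perimeter firewall never records these flows, which is the point made about traditional firewall deployments in the prevention list.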
This is what unaffected clients need to do to avoid becoming victims of this ransomware.
1. Patch – regular/automated patching of Windows systems would have prevented this malware from doing any damage by removing the vulnerability it exploits
2. Security awareness training – organization employees should be aware of the dangers of opening file attachments in emails or clicking on links
3. Advanced malware protection on the endpoints – could stop the execution of the malware in the first stage, or the downloading and installation of the malware in the second stage
4. Email security – strong email security would have greatly reduced the spread of the malware, either by preventing any executable files from being delivered to users (this depends on tuning, but even files with unknown status should be blocked and verified before further analysis) or by checking URLs in emails to determine if they are safe to click (more modern email protection systems have built-in web URL protection)
5. Web security controls – would help in cases where the infection point is a URL link in an email
6. Advanced IPS with Command and Control botnet detection – would not be effective in the first minutes of the spread, but will quickly update itself (depending on vendor) and will then detect/drop outgoing CnC connections. Traditional stateful firewalls would not help, except by blocking SMB traffic on TCP ports 139/445 (and traditional firewall deployments do not scan internal traffic anyway)
7. Back up your important information in a separate, secure location – a reactive approach, but very effective against crypto viruses
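Point 4 above says executable attachments should be blocked at the mail gateway. The script below is an added example (not code from the article or from any email security product) of the check a gateway performs: it parses a constructed message with Python's standard email module and flags attachments both by extension and by content signature, so that a Windows executable renamed to look like a PDF is still caught. The extension list, the sample message and the filenames are assumptions made for the example.

```python
# Added example (not from the article): screen email attachments the way a
# mail gateway's executable filter does, using both the filename and the file's
# own header, because the name can be chosen freely by the sender.
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed block list; real gateways carry a much longer one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
PE_MAGIC = b"MZ"          # first two bytes of every Windows executable (DOS/PE header)
ZIP_MAGIC = b"PK\x03\x04"  # archives must be opened and inspected before delivery


def classify_attachment(filename, payload):
    """Return the list of reasons this attachment should be held (empty list = deliverable)."""
    reasons = []
    _root, ext = os.path.splitext((filename or "").lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # A double extension such as invoice.pdf.exe is caught above; invoice.exe renamed
    # to scan.pdf is not, so the content signature is checked independently of the name.
    if payload.startswith(PE_MAGIC):
        reasons.append("PE/MZ header")
    if payload.startswith(ZIP_MAGIC):
        reasons.append("archive (inspect contents before delivery)")
    return reasons


def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify every attachment, keyed by filename."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdicts[part.get_filename() or "<unnamed>"] = classify_attachment(part.get_filename(), payload)
    return verdicts


def blocked_attachments(raw_bytes):
    """Names of attachments that should not reach the user."""
    return sorted(name for name, reasons in screen_message(raw_bytes).items() if reasons)


def build_sample_message():
    """Constructed test message (not a real phishing sample): one harmless PDF,
    one executable with a double extension, one executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder, not a real binary",
                       maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder, not a real binary",
                       maintype="application", subtype="pdf", filename="scan.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message()).items():
        print(f"{name}: {'HOLD ' + ', '.join(reasons) if reasons else 'deliver'}")
```

The disguised scan.pdf is the case the article's "files with unknown status should be blocked" advice is about: the declared MIME type and the name both say PDF, and only the content check reveals the executable.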
Please also refer to updates from the UK National Cyber Security Centre which provide guidance on how to protect against ransomware.
Indicators of compromise
How to check if your network has the malware. Typical indicators are listed in the link below.
Basically, infected clients will request connections to the associated IP addresses, and there will be evidence of file transfers with the mentioned SHA-256 fingerprints (keep in mind there are small variations of the virus, resulting in multiple fingerprints).
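The two indicator types named above, file fingerprints and CnC addresses, are checked in different places: the hashes against files on disk, the addresses against outbound connection logs. The script below is an added example (not the article's code) of both sweeps. The indicator values are placeholders: the file hash is computed from a constructed byte string and the addresses come from the documentation IP ranges, because the real WannaCry fingerprints and addresses are not given on this page; in practice the sets would be loaded from the vendor or NCSC indicator list.

```python
# Added example (not from the article): sweep a directory tree for files whose SHA-256
# matches a known-bad set, and a connection log for contacts to known CnC addresses.
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder CnC addresses (TEST-NET ranges), standing in for the real indicator list.
CNC_IPS = {"203.0.113.10", "198.51.100.7"}


def sha256_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root, indicator_hashes):
    """Return the tree-relative paths (posix style) of files whose SHA-256 is an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if sha256_of_file(p) in indicator_hashes:
                    hits.append(Path(p).relative_to(root).as_posix())
            except OSError:
                continue  # locked or unreadable files are skipped, not treated as clean
    return sorted(hits)


def find_cnc_contacts(log_lines, cnc_ips):
    """Return (src, dst) pairs from 'timestamp src dst port action' lines whose dst is an indicator."""
    contacts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        src, dst = parts[1], parts[2]
        if dst in cnc_ips:
            contacts.append((src, dst))
    return contacts


def demo():
    """Build a constructed directory tree and log, run both sweeps, return (file_hits, contacts)."""
    sample = b"constructed placeholder payload, not real malware"
    indicator_hashes = {hashlib.sha256(sample).hexdigest()}  # placeholder fingerprint
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "docs").mkdir()
        Path(tmp, "docs", "report.txt").write_bytes(b"quarterly report")
        Path(tmp, "docs", "update.bin").write_bytes(sample)
        hits = sweep_directory(tmp, indicator_hashes)
    # Constructed connection log in the same format as a firewall export.
    log = [
        "2017-05-12T10:02:00 10.1.1.77 203.0.113.10 443 ALLOW",
        "2017-05-12T10:02:05 10.1.1.20 93.184.216.34 443 ALLOW",
    ]
    return hits, find_cnc_contacts(log, CNC_IPS)


if __name__ == "__main__":
    hits, contacts = demo()
    print("files matching indicator hashes:", hits)
    print("hosts contacting CnC addresses:", contacts)
```

A hash match is exact, which is why the article warns that variants produce multiple fingerprints: every variant needs its own entry, whereas the CnC address and the network behaviour tend to stay the same across variants and so catch more of them.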
Mitigation techniques (after the attack)
Unfortunately, after files are encrypted it is close to impossible to decrypt them without the proper key. Most endpoint protection companies give you a list of things to do to remove the virus, mitigate its spread and be immune in the future, but not to recover files. General recommendations vary between vendors, but most of them follow these steps.
1. Make sure your endpoint protection software is running and not disabled
2. Download and install the latest signatures
3. Install the patch from Microsoft (MS17-010), which fixed the SMBv1 vulnerability
4. Scan all systems; the virus is detected (usually under the name MEM:Trojan.Win64.EquationDrug.gen), then reboot the system (before that, make sure you have the patch installed).
This article was compiled by our Lead Security Consultant Deyan Panchev.